The reality of cyberwarfare is total war

June 17, 2015

Many current military strategists, information technology experts, and futurists will harp until they’re blue in the face about what cyberwarfare looks like. There was a decent movie about hostile hackers who attacked Western infrastructure, Blackhat, an apt name that coincides with the three types of hackers: black, gray, and white. With so many ideas and theories floating around about what cyberwarfare between countries could look like, have any of them actually engaged in it?

Even further, can any of them talk about it? Actually, I can.

The recent attack on U.S. networks, allegedly the work of Chinese hackers, is no different than striking an airbase in Asia or an army garrison in Germany or Poland. The hacking of the Office of Personnel Management’s (OPM) background investigation files is akin to stealing nuclear codes.

The real pros engage in offensive counterintelligence, which aims at recruiting spies inside the enemy camp, particularly inside the opposing intelligence service. That’s how you gain control of the enemy’s central nervous system: You know what he knows about you, hence you can deceive him at a strategic level.

But how is this more dangerous than some of the usual games that spies play? It's because of how some Chinese and Russian hackers see the United States as the enemy. The U.S. is and will always be "the main enemy" to them, until the country is so severely hampered that it cannot function as a competitor on the world stage (best case) or it ceases to exist as a functioning republic (worst case). Make no mistake, they are in it to win it, even while we’re busy playing by the Queensberry Rules.

So where does this leave U.S. cyber security after the OPM hack? Here's a relatively brief explanation.

1) This hacking of OPM wasn't the first and won’t be the last compromise of critical information

Remember, cyber warfare is continuous. The adversaries are not satisfied and will use this information to filter likely recruits for espionage, primarily access agents—people who can facilitate collection efforts while not directly engaging in actual “spying.”

2) Once in place, hooked to spy for a U.S. adversary for various reasons (including ethnicity, family ties, or blackmail), the newly recruited asset can now act in perpetuity

Spies are recruited because of their access to crucial information and the adversary can decide what they'll need. Think of it like hiring a new employee.

3) After the asset is in place and functions regularly for the adversary without detection, small things are asked of the new asset

This includes unclassified reports, taking notes at meetings, checking in, getting emails from coworkers, phone numbers, etc., all of which may be unclassified but useful to the adversary all the same.

4) However, things have changed on the international front

Forces are being moved forward and the world waits with bated breath. Meanwhile, the asset has increased his collection efforts gathering more classified information and, just as John Schindler described, "gaining control of the enemy’s central nervous system.”

5) Then it’s time to execute and use the asset in place

Adversaries know we use the Internet for command and control of some critical assets, particularly some logistical work. While war stocks, bombs, and bullets are being moved forward into the area of operation, the insider begins running malicious code on the network. He's not really doing it and he’s too valuable to be discovered, so he plugs in a USB with a callback program that runs in the blind to the users and possibly system administrators. Phishing emails get delivered to coworkers and, in my experience, despite all the training, roughly 18 to 25 percent of employees will click the links that run malicious software on their computer.

In the process, the adversary gets more computers—and the more computers he has, the clearer his network intelligence picture becomes and the more damage he can do.

6) This ping back says to the adversary: “Here I am. Hit me”

And they do. We’re talking about other countries here, so they have the ability to target a computer with hundreds, if not thousands, of hackers at a time, and can work slowly. So frankly, the work may already be done. Think about that for a second. The ping works and the attack is underway. Before any successful operation, the target must be first found and then fixed. That goes a lot more smoothly on the network if you have someone helping steer you towards the right computer or server to hit.

7) At this point, the attack is successful and leaves little to no trace of activity

The adversary is now inside our logistic chain and is already affecting our ability to function. He’s moving decimals around. Replacing numbers in spreadsheets with incorrect requests. Nothing too serious, just enough to make a difference and hope to not be noticed. Simple things like fuel requests and printer paper potentially escalate to bombs, bullets, and even men.

8) The war starts and we’re winning

It's going well for us. We’ve survived the initial onslaught and have held the tide. But the adversary has their man on the inside and his previous actions have already given them what they need. The adversary then shuts down our Internet and disables our ability to use some of the critical pieces to our command and control. There is already a precedent of Russia being able to do this:Estonia (2007), Georgia (2008), Ukraine (2014 to present). But to be honest, most of Ukraine’s Internet service providers ran through Russia, so the hacking started taking place as soon as the first cable was dropped in country.

9) So what happens next?

There’s some impact but now we’re able to function. We have a classified communication system right? Yes. But we’ve already identified we have at least one insider. Think of the damage an Edward Snowden could cause during a shooting war. Game over.

The above scenario is ultimately what we’re looking at when it comes to cyber warfare. Total war is everywhere and the adversary will use everything at their disposal all the time, building spy networks to identify the actual computer networks we use for various governmental, military, and intelligence functions. The OPM hack was just the start—and it won’t be the last. Cyberwarfare does not necessarily mean a power plant being shut down, nor does it mean someone defaces a website. It means using one’s network against them for whatever purpose the adversary desires.

I am involved in testing security measures and I see it during every assessment. Sometimes we don’t get the network from the outside, but we get someone inside the building who can facilitate access to the correct computer. Other times, the cyber team I partner with hacks a security manager’s terminal and puts me on the access roster. Then I’m in and unquestionable because I’m “cleared.”

But most satisfying and disturbing is when I’m able to give the cyber team access and see the damage they can do. Notional planes have been shot down because they were able to collect battle plans on the network. Ships have been sunk. The scenario above where we moved numbers around on supply requests? It happened all the time, but we also do it to operational planners. Instead of a strike package of 10 aircraft, you get four because of maintenance issues.

Cyberwarfare is not just ones and zeroes. It’s physical and has a very real affect on the battlefield—which, to our adversaries, is everywhere.